Wednesday, August 6, 2008

Police in Amritsar has instructed cyber cafe owners to start tracking their users (Times of India). Now cafe owners are required to maintain the list of their users along with the time they have used a particular computer. Each user has to furnish some form of identity in the form of driving licence or college ID cards. In case they can't, then they have to use CCTV's to track students.

I could not get what the objective of such a record keeping is. Is it to track people who do not have a computer at home or to trace terrorist? Second, who can get access to this data. Can one parents or friends verify if you were using cafe at a particular time?

1. Well definitely people who have a ID card but not a home computer can be exactly tracked. If browser cache has not been cleaned up, then the websites they visited can also be traced.

2. If such data is aggregated at a central place, then a simple query can exactly tell which all cafes a particular person visited.

3. Can people without any form of ID card can use computers?

If the objective is to trace terrorist then the method has to be accurate for not blaming innocent citizens. However, a simple described logging mechanism seems quite inaccurate because of following problems:

1. Identity problem because of NAT: Many cafe operators split a single incoming connection with 10 to 20 computers. This is achieved using a Network Address Translation (NAT) device. The outside world will only see one computer. So if one discovers a particular IP that sent a threatening email then one has to identify which one of the 20 computers was used. Without keeping track of connection tables in the NAT this is not possible. It is definitely possible that finding 20 suspects is still good for many purposes.

2. Anonymity provided by email services: Email providers like Gmail do not append your IP address to an email that you sent using the web interface. Gmail only appends IP address to the outgoing mail if you have used their IMAP interface. So if you find a threatening mail sent through Gmail, the last locatable IP on the email will be a Gmail server. You cannot locate the cafe that was used until and unless you force Google to release their if they have collected it.

3. Infected machines: Machines can be infected with viruses, botnets, key loggers and spammers. All these machines can be used for any purpose including sending emails without any one noticing it. So cafe owners who have infected machines may be sending illegitimate mails and pointing to innocent users.

4. Bypassing tracing: A person can enter a cafe and start a process that listens for mails on a TCP port. Then he goes to home and redirects mails through the cafe computer. If NAT's impair such activity, then he can tunnel out such a connection. Cafe owners won't even know that a person who came in the day time actually sent an email from his computer in the night.

I do not know if such information can misguide police into detaining innocent people but certainly such information is not completely reliable.